Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 436028 (CVE-2012-3524)

Summary: <sys-apps/dbus-1.6.8,<dev-libs/glib-2.32.4-r1: Local privilege escalation and arbitrary code execution via DBUS_SYSTEM_BUS_ADDRESS (CVE-2012-3524)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: gnome, john, ssuominen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 416725, 427544    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 20:23:13 UTC 
CVE-2012-3524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3524):
  libdbus 1.5.x and earlier, when used in setuid or other privileged programs
  in X.org and possibly other products, allows local users to gain privileges
  and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment
  variable.  NOTE: libdbus maintainers state that this is a vulnerability in
  the applications that do not cleanse environment variables, not in libdbus
  itself: "we do not support use of libdbus in setuid binaries that do not
  sanitize their environment before their first call into libdbus."
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-23 22:56:00 UTC 
Who sets the whiteboard as [ebuild]? what is for you the fixed version?

Upstream has not yes fixed this issue.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:46:48 UTC 
dbus-1.6.4 has the patch for this CVE and is for stabilization (as in, -r0 is for stabilization)

dbus-1.6.4-r1 has the patch for this CVE but is for ~arch because of it's systemd dependency (repoman issues)

futhermore if you dig up the Fedora bug for this issue, they disagree it's even a dbus bug and a problem with apps like 'spice'

anyway, nothing for freedesktop-bugs@ to do here, happy hunting security@ for those buggy setuid apps down (like spice)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 06:47:45 UTC 
i'm dropping the patch from next dbus version since it will never land upstream, so you have until then to deal with the buggy apps (like spice :-)
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-24 10:53:27 UTC 
I would just point out that upstream has rejected that patch.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 11:06:16 UTC 
(In reply to comment #4)
> I would just point out that upstream has rejected that patch.

that's why I said in Comment #3 this is only temporary until the setuid reverse dependencies have been fixed...
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 16:32:52 UTC 
1.6.8 in Portage with...

http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2

The another part of the fix is in dev-libs/glib-2.34.0 here:

http://git.gnome.org/browse/glib/commit/?id=d6cbb29f598d677d5fc1c974cba6d9f646cff491

CCing gnome@ for above ^^ to get it backported into 2.32 series and for stabilization.
Comment 7 Pacho Ramos gentoo-dev 2012-09-29 16:54:51 UTC 
This is the patch for glib-2.32... but I don't have time to apply and commit it, Samuli, if you have time now for that feel free to commit:
http://git.gnome.org/browse/glib/commit/?h=glib-2-32&id=4c2928a54482913cf236bff0e66650a8f47e17ea
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:19:35 UTC 
Patch imported to =dev-libs/glib-2.32.4-r1.

Please test and stabilize:

=sys-apps/dbus-1.6.8
=dev-libs/glib-2.32.4-r1
=dev-util/gdbus-codegen-2.32.4 (from bug
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2012-09-29 17:21:59 UTC 
(In reply to comment #8)
> Patch imported to =dev-libs/glib-2.32.4-r1.
> 
> Please test and stabilize:
> 
> =sys-apps/dbus-1.6.8
> =dev-libs/glib-2.32.4-r1
=dev-util/gdbus-codegen-2.32.4 (from bug 427544)
and new dbus-glib and dbus-python from bug 416725
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-02 15:41:08 UTC 
Stable for HPPA.
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-10-04 08:27:50 UTC 
x86 stable (systemd code rolled to -r1)
Comment 12 Agostino Sarubbo gentoo-dev 2012-10-04 19:30:05 UTC 
amd64 stable
Comment 13 John J. Aylward 2012-10-06 06:46:36 UTC 
Is there a reason that the 1.6.8 ebuild has systemd support missing while 1.6.2 and 1,6,8-r1 have the use flag set up for it?

I'd rather not have to unmask the -r1 just for systemd support on amd64 since 1.6.2 was already stable with it.
Comment 14 Markus Meier gentoo-dev 2012-10-06 10:49:57 UTC 
arm stable
Comment 15 Anthony Basile gentoo-dev 2012-10-14 05:12:42 UTC 
stable ppc ppc64
Comment 16 Matt Turner gentoo-dev 2012-10-14 05:37:17 UTC 
alpha stable
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-10-14 14:56:49 UTC 
ia64/m68k/s390/sh/sparc stable
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-14 18:04:15 UTC 
Thanks, everyone.

Filing a new GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 14:29:50 UTC 
This issue was resolved and addressed in
 GLSA 201406-01 at http://security.gentoo.org/glsa/glsa-201406-01.xml
by GLSA coordinator Chris Reffett (creffett).